ScotAccount Privacy Notice

This privacy notice sets out how ScotAccount uses your personal data when you create your ScotAccount.

ScotAccount is run by the Scottish Government, who act as the data controller for your information.

Personal data collected by ScotAccount for account creation and sign in

When you create a ScotAccount, you'll be asked to provide:

  • an email address
  • a mobile number
  • a password

A random unique identifier, known as a "GUID", will be assigned to your account. Your account's GUID will be shared with a public body if you interact with them through our service.

ScotAccount allows you to store verified information about yourself, and to share this with other public bodies when required. Information is only stored and shared when you log in and agree to this.

Why we collect this personal data

This information is used to create your ScotAccount and make sure only you can sign in to it. When you create an account, sign in or change any of this personal data, we will send messages to confirm this, including one-time passcodes. We use GOV.UK Notify to send these messages. We also use some personal data to keep accounts secure, and to work out if someone is attempting to access your ScotAccount when they shouldn't.

We may use your email address to contact you about your ScotAccount, but only if we need to.

Personal data collected when verifying your identity

Some services partnered with ScotAccount will require you to verify who you are before you're allowed access. To verify who you are, you'll need to provide:

  • an image of yourself
  • an image of an official piece of identification, such as your driving licence or passport
  • your home address
  • your date of birth

Why we collect this personal data

When you provide these details, they will be transferred to Experian, our data processor, and Mitek, our data sub-processor, to be checked.

Once confirmed, the data used will be deleted and not used for any further purpose by the Scottish Government, our processor, or any further sub-processors.

Personal data collected for security monitoring

The Scottish Government processes some personal data for security monitoring purposes. This includes your:

  • IP address
  • GUID

Why we collect this personal data

Security monitoring makes sure:

  • the data associated with accounts is secure
  • outside attacks and misuse are detected

Security monitoring identifies:

  • failed sign in attempts - this is so multiple attempts can be identified
  • the geographic location of sign ins - this is to identify issues such as a user logging in from Edinburgh and then logging in from Australia a few minutes later, which would indicate that a third party has accessed the account

All data we collect for security monitoring is "pseudonymised". This means the data cannot be used to identify you directly. Access to this data is limited to the Scottish Government's Security Operations Centre.

The legal basis

It is lawful for us to use your data under the basis of a task in the public interest. It is lawful for us to use special category data (biometric data) for reasons of substantial public interest.

When you agree to store information in your ScotAccount, or to share it to another public body, you are doing so under the lawful bases of consent and explicit consent.

Withholding consent to store information in ScotAccount means it will be deleted after you have completed the action you are currently undertaking. You will not be able to re-use this information in the future with other public bodies without completing the verification process again.

Withholding consent to share information with public bodies means you will have to complete the verification process or access the service in another way.

How long we keep your personal data

Your sign-in data will be kept for as long as you choose to have your ScotAccount. Maintaining your ScotAccount personal data is necessary for it to function.

Information held in ScotAccount will be retained until you decide to remove it, which can be done at any time while logged in to ScotAccount.

Information shared to public bodies will be subject to the retention schedule of those organisations.

You can delete your ScotAccount at any time.

If you start creating your ScotAccount but do not finish, we will store any personal data you've entered for a week before removing it. Once your data has been removed, you will need to restart the account creation process if you still want a ScotAccount.

The biometric data used for identity verification will be stored until verification is completed. Although the process should only take a few minutes, it may be stored for a maximum of one week while awaiting completion of verification. It is not re-used for any other purposes beyond this.

Security monitoring data is retained for six months, in line with National Cyber Security Centre standards.

GOV.UK Notify retains your phone number or email address for 7 days when we send you a message.

Experian is required to keep a record of the soft credit check they carry out for 12 months.

Read more about Experian's searches and credit checks.

Who your data will be shared with

If you are interacting with a Scottish public body, some information will be provided to them.

  • For signing in this is your account's GUID (unique identifier).

If they have requested an identification check this includes:

  • the result of your identification check
  • the name, address and date of birth that were verified

They will not have access to any other data.

The Scottish Government has employed a number of third party organisations who may have access to your data. In each case they have only been provided with the minimum amount of personal data in order to operate the ScotAccount service.

These organisations are:

  • Experian
  • Mitek
  • Cifas
  • Amazon Web Services (AWS)
  • GOV.UK Notify
  • Scott Logic

Experian

Experian is a credit reference agency appointed as a data processor by the Scottish Government, in order to provide the identity verification service for ScotAccount. Experian holds data from sources such as the electoral register and will ensure that the data you've provided matches their sources.

Experian will use their databases to carry out a soft credit check on your personal data.

The checks carried out by Experian will not impact your credit score.

The Scottish Government will not be able to see the data Experian checks. Experian only provides the Scottish Government with the result of the check.

Read about Experian's use of your data

Mitek

Experian sub-contracts to Mitek as part of the identity verification process. Mitek uses the images you take during the identity verification process to compare the image of your face to the image of your official document: passport.

Both Experian and Mitek are subject to legally binding contracts tying the use of your data to the purposes outlined in this privacy notice, and do not have access to data in your ScotAccount.

Cifas

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at https://www.cifas.org.uk/fpn.

Your rights

Data protection legislation provides a number of rights in relation to your personal data. These are the right:

  • to be informed about the use of your personal data - this is done through this privacy notice
  • of access - this allows you to access copies of the personal data we hold about you
  • of rectification - this allows you to ask us to correct any personal data we hold about you that is verifiably wrong
  • of erasure - this allows you to ask us to delete any personal data we hold about you
  • to restrict processing - this allows you to ask us to restrict how we use your data
  • to object - this allows you to object to our use of your data

If you make a rights request to the Scottish Government, we must respond within one calendar month, unless an extension can reasonably be applied. These rights are not absolute, and may be subject to exemptions. Any exemptions applied to these rights will be made clear to you in the response to your request.

You can find more information about these rights on the website of the Information Commissioner's Office, the regulatory body for data protection in the UK.

Further contacts

If you have any questions about the handling of your personal data, including about accessing, erasing or correcting any personal data held about you by ScotAccount, you should contact: ScotAccount@gov.scot.

If you are unhappy with the handling of your personal data and wish to raise a formal complaint, you can do so by contacting the Scottish Government's Data Protection Officer:

Address

Data Protection Officer
Victoria Quay
Commercial Street
Edinburgh
EH6 6QQ

Email

dataprotectionofficer@gov.scot.


If, having followed our internal complaints process, you are still unhappy about the handling of your personal data, you have the right to make a further complaint to the Information Commissioner's Office: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/
